vulnerability
Arch Linux: Cross-site scripting (CVE-2020-35475)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | Dec 18, 2020 | Jul 11, 2025 | Nov 27, 2025 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
Dec 18, 2020
Added
Jul 11, 2025
Modified
Nov 27, 2025
Description
In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. (The right column with the changeable groups is not affected and is escaped correctly.)
Solution
arch-linux-upgrade-latest
References
- CVE-2020-35475
- https://attackerkb.com/topics/CVE-2020-35475
- URL-https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STT5Z4A3BCXVH3WIPICWU2FP4IPIMUPC/
- URL-https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html
- URL-https://phabricator.wikimedia.org/T268917
- URL-https://security.archlinux.org/ASA-202101-22
- URL-https://www.debian.org/security/2020/dsa-4816
- CWE-79
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.